From a065fc803cae88f432e75c0ccaff0338eb4d2bc5 Mon Sep 17 00:00:00 2001 From: Stuart Morgan Date: Fri, 18 Dec 2015 21:38:54 +0000 Subject: [PATCH] fixed spacing --- .../windows/gather/ad_groupusers_to_sql.rb | 100 +++++++++--------- 1 file changed, 51 insertions(+), 49 deletions(-) diff --git a/modules/post/windows/gather/ad_groupusers_to_sql.rb b/modules/post/windows/gather/ad_groupusers_to_sql.rb index 89497f45b7..1c1fb2b6e3 100644 --- a/modules/post/windows/gather/ad_groupusers_to_sql.rb +++ b/modules/post/windows/gather/ad_groupusers_to_sql.rb @@ -122,56 +122,58 @@ class Metasploit3 < Msf::Post comments: group_user[13][:value].to_s, title: group_user[14][:value].to_s, accountExpires: group_user[15][:value].to_i, + #Indicates that a given object has had its ACLs changed to a more secure value by the + #system because it was a member of one of the administrative groups (directly or transitively). adminCount: group_user[16][:value].to_i, - # The login script is executed - ADS_UF_SCRIPT: (group_user[7][:value].to_i & 0x00000001) ? 1 : 0, - #The user account is disabled. - ADS_UF_ACCOUNTDISABLE: (group_user[7][:value].to_i & 0x00000002) ? 1 : 0, - #The home directory is required. - ADS_UF_HOMEDIR_REQUIRED: (group_user[7][:value].to_i & 0x00000008) ? 1 : 0, - #The account is currently locked out. - ADS_UF_LOCKOUT: (group_user[7][:value].to_i & 0x00000010) ? 1 : 0, - #No password is required. - ADS_UF_PASSWD_NOTREQD: (group_user[7][:value].to_i & 0x00000020) ? 1 : 0, - #The user cannot change the password. - ADS_UF_PASSWD_CANT_CHANGE: (group_user[7][:value].to_i & 0x00000040) ? 1 : 0, - #The user can send an encrypted password. - ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED: (group_user[7][:value].to_i & 0x00000080) ? 1 : 0, - #This is an account for users whose primary account is in another domain. This account - #provides user access to this domain, but not to any domain that trusts this domain. - #Also known as a local user account. - ADS_UF_TEMP_DUPLICATE_ACCOUNT: (group_user[7][:value].to_i & 0x00000100) ? 1 : 0, - #This is a default account type that represents a typical user. - ADS_UF_NORMAL_ACCOUNT: (group_user[7][:value].to_i & 0x00000200) ? 1 : 0, - #This is a permit to trust account for a system domain that trusts other domains. - ADS_UF_INTERDOMAIN_TRUST_ACCOUNT: (group_user[7][:value].to_i & 0x00000800) ? 1 : 0, - #This is a computer account for a computer that is a member of this domain. - ADS_UF_WORKSTATION_TRUST_ACCOUNT: (group_user[7][:value].to_i & 0x00001000) ? 1 : 0, - #This is a computer account for a system backup domain controller that is a member of this domain. - ADS_UF_SERVER_TRUST_ACCOUNT: (group_user[7][:value].to_i & 0x00002000) ? 1 : 0, - #The password for this account will never expire. - ADS_UF_DONT_EXPIRE_PASSWD: (group_user[7][:value].to_i & 0x00010000) ? 1 : 0, - #This is an MNS logon account. - ADS_UF_MNS_LOGON_ACCOUNT: (group_user[7][:value].to_i & 0x00020000) ? 1 : 0, - #The user must log on using a smart card. - ADS_UF_SMARTCARD_REQUIRED: (group_user[7][:value].to_i & 0x00040000) ? 1 : 0, - #The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. - #Any such service can impersonate a client requesting the service. - ADS_UF_TRUSTED_FOR_DELEGATION: (group_user[7][:value].to_i & 0x00080000) ? 1 : 0, - #The security context of the user will not be delegated to a service even if the service - #account is set as trusted for Kerberos delegation. - ADS_UF_NOT_DELEGATED: (group_user[7][:value].to_i & 0x00100000) ? 1 : 0, - #Restrict this principal to use only Data #Encryption Standard (DES) encryption types for keys. - ADS_UF_USE_DES_KEY_ONLY: (group_user[7][:value].to_i & 0x00200000) ? 1 : 0, - #This account does not require Kerberos pre-authentication for logon. - ADS_UF_DONT_REQUIRE_PREAUTH: (group_user[7][:value].to_i & 0x00400000) ? 1 : 0, - #The password has expired - ADS_UF_PASSWORD_EXPIRED: (group_user[7][:value].to_i & 0x00800000) ? 1 : 0, - #The account is enabled for delegation. This is a security-sensitive setting; accounts with - #this option enabled should be strictly controlled. This setting enables a service running - #under the account to assume a client identity and authenticate as that user to other remote - #servers on the network. - ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: (group_user[7][:value].to_i & 0x01000000) ? 1 : 0 + #The login script is executed + ADS_UF_SCRIPT: (group_user[7][:value].to_i & 0x00000001) ? 1 : 0, + #The user account is disabled. + ADS_UF_ACCOUNTDISABLE: (group_user[7][:value].to_i & 0x00000002) ? 1 : 0, + #The home directory is required. + ADS_UF_HOMEDIR_REQUIRED: (group_user[7][:value].to_i & 0x00000008) ? 1 : 0, + #The account is currently locked out. + ADS_UF_LOCKOUT: (group_user[7][:value].to_i & 0x00000010) ? 1 : 0, + #No password is required. + ADS_UF_PASSWD_NOTREQD: (group_user[7][:value].to_i & 0x00000020) ? 1 : 0, + #The user cannot change the password. + ADS_UF_PASSWD_CANT_CHANGE: (group_user[7][:value].to_i & 0x00000040) ? 1 : 0, + #The user can send an encrypted password. + ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED: (group_user[7][:value].to_i & 0x00000080) ? 1 : 0, + #This is an account for users whose primary account is in another domain. This account + #provides user access to this domain, but not to any domain that trusts this domain. + #Also known as a local user account. + ADS_UF_TEMP_DUPLICATE_ACCOUNT: (group_user[7][:value].to_i & 0x00000100) ? 1 : 0, + #This is a default account type that represents a typical user. + ADS_UF_NORMAL_ACCOUNT: (group_user[7][:value].to_i & 0x00000200) ? 1 : 0, + #This is a permit to trust account for a system domain that trusts other domains. + ADS_UF_INTERDOMAIN_TRUST_ACCOUNT: (group_user[7][:value].to_i & 0x00000800) ? 1 : 0, + #This is a computer account for a computer that is a member of this domain. + ADS_UF_WORKSTATION_TRUST_ACCOUNT: (group_user[7][:value].to_i & 0x00001000) ? 1 : 0, + #This is a computer account for a system backup domain controller that is a member of this domain. + ADS_UF_SERVER_TRUST_ACCOUNT: (group_user[7][:value].to_i & 0x00002000) ? 1 : 0, + #The password for this account will never expire. + ADS_UF_DONT_EXPIRE_PASSWD: (group_user[7][:value].to_i & 0x00010000) ? 1 : 0, + #This is an MNS logon account. + ADS_UF_MNS_LOGON_ACCOUNT: (group_user[7][:value].to_i & 0x00020000) ? 1 : 0, + #The user must log on using a smart card. + ADS_UF_SMARTCARD_REQUIRED: (group_user[7][:value].to_i & 0x00040000) ? 1 : 0, + #The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. + #Any such service can impersonate a client requesting the service. + ADS_UF_TRUSTED_FOR_DELEGATION: (group_user[7][:value].to_i & 0x00080000) ? 1 : 0, + #The security context of the user will not be delegated to a service even if the service + #account is set as trusted for Kerberos delegation. + ADS_UF_NOT_DELEGATED: (group_user[7][:value].to_i & 0x00100000) ? 1 : 0, + #Restrict this principal to use only Data #Encryption Standard (DES) encryption types for keys. + ADS_UF_USE_DES_KEY_ONLY: (group_user[7][:value].to_i & 0x00200000) ? 1 : 0, + #This account does not require Kerberos pre-authentication for logon. + ADS_UF_DONT_REQUIRE_PREAUTH: (group_user[7][:value].to_i & 0x00400000) ? 1 : 0, + #The password has expired + ADS_UF_PASSWORD_EXPIRED: (group_user[7][:value].to_i & 0x00800000) ? 1 : 0, + #The account is enabled for delegation. This is a security-sensitive setting; accounts with + #this option enabled should be strictly controlled. This setting enables a service running + #under the account to assume a client identity and authenticate as that user to other remote + #servers on the network. + ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: (group_user[7][:value].to_i & 0x01000000) ? 1 : 0 } run_sqlite_query(db, 'ad_users', sql_param_user)